TRANSCRIPT
Enigma 2020 – San Francisco, CA, US
CATCH ME IF YOU CAN! DETECTING SANDBOX EVASION TECHNIQUES
Francis Guibernau & Ayelen Torello
ABOUT US
Francis Guibernau @OutrageousLynx
Security Researcher at Deloitte
Ayelen Torello @TorelloAyelen
Security Researcher at Deloitte
Overview - Agenda
• Environment Awareness: definition of the 'Environment Awareness' master technique and the purpose behind it
• Identified Techniques: list of techniques and the different categories defined within Environment Awareness
• In the Wild Examples: multiple malware examples from each identified category
• APT Insight & Conclusion: how we use what we learned in order to profile and track APT groups
ENVIRONMENT AWARENESS
Environment Awareness is the name given to the set of high-level techniques attackers use to try to detect sandboxing environments, virtual machines or the presence of forensic tools before the malicious payload runs.
Techniques
1. System Architecture (3 sub-techniques)
2. System Background (6 sub-techniques)
3. Time-Based Detection (5 sub-techniques)
4. User-Based Detection (3 sub-techniques)
5. Network-Based Detection (3 sub-techniques)
SYSTEM ARCHITECTURE
System Specifications: System Memory, Disk Properties, CPU Core Count
Hardware Components: Thermal Check, Peripheral Check, Hardware IDs
System Footprint: BIOS, UEFI, EFI
SYSTEM ARCHITECTURE
GravityRAT: Hardware Components (Hardware IDs, Thermal Check)
Reference: https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html
SYSTEM ARCHITECTURE
GravityRAT: System Specifications (CPU Core Count)
Reference: https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html
SYSTEM BACKGROUND
System Instrumentation: CPUID Based Instructions, WMI Queries, Processes and Services, Registry Keys, MAC Addresses
System Fingerprinting: Artifacts Presence
SYSTEM BACKGROUND
System Instrumentation: CPUID Based Instructions, WMI Queries, Processes and Services, Registry Keys, MAC Addresses
System Fingerprinting: Artifacts Presence
Registry Keys example (VirtualBox Guest Additions):
HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions
MAC Addresses examples (OUI prefix and hypervisor vendor):
00:05:69:xx:xx:xx VMware
00:0C:29:xx:xx:xx VMware
00:1C:14:xx:xx:xx VMware
00:50:56:xx:xx:xx VMware
00:15:5D:xx:xx:xx Hyper-V
00:16:3E:xx:xx:xx Xen
54:52:00:xx:xx:xx KVM
Artifacts Presence examples (VirtualBox guest drivers):
C:\windows\System32\Drivers\VBoxMouse.sys
C:\windows\System32\Drivers\VBoxGuest.sys
C:\windows\System32\Drivers\VBoxSF.sys
C:\windows\System32\Drivers\VBoxVideo.sys
SYSTEM BACKGROUND
GravityRAT: System Instrumentation (WMI Queries)
Reference: https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html
SYSTEM BACKGROUND
GravityRAT: System Instrumentation (MAC Addresses)
Reference: https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html
SYSTEM BACKGROUND
GravityRAT: System Instrumentation (Registry Keys)
Reference: https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html
TIME-BASED DETECTION
Time Bomb
Scheduled Download
System Events
Extended Sleep
System Uptime
TIME-BASED DETECTION
Upatre: System Uptime
Reference: https://unit42.paloaltonetworks.com/ticked-off-upatre-malwares-simple-anti-analysis-trick-to-defeat-sandboxes/
USER-BASED DETECTION
Software and Applications
User Interaction
User Properties and Configurations
USER-BASED DETECTION
User Interaction
USER-BASED DETECTION
FIN7: User Interaction
NETWORK-BASED DETECTION
Open Ports
Connectivity Availability
Network Check
NETWORK-BASED DETECTION
PowerShell Empire: Network Check
Results – APT Tracking
Share of samples by attributed origin (according to vendor's group attribution):
• Suspected China: 30%
• Unknown: 28%
• Suspected Russia: 12%
• Suspected N. Korea: 7.5%
Results – APT Tracking
Groups tracked (according to vendor's group attribution): APT 1, TA505, APT 28, Lazarus
Evasion categories observed across these groups: Time-based Detection, System Background, Network-based Detection
RESULTS & INSIGHT
• Improvement on APT insight
• APT overlapping
• Evasion techniques knowledge
• MITRE ATT&CK framework updated (2019): T1497 – Virtualization/Sandbox Evasion
Closing remarks
• Evasion techniques are constantly evolving.
• Use different profiles for your sandbox and avoid generic ones.
• Keep all your systems up to date so malware cannot exploit known vulnerabilities.
QUESTIONS